-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================================== >> CERT-NL, 01-Mar-2000 << >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links << >> to CERT-NL information contained in this advisory are therefore outdated. << >> << >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the << >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the << >> complete CERT-CC advisory texts: http://www.cert.org << =============================================================================== =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Erik-Jan Bos (CERT-NL) Index : S-92-20 Distribution : SURFnet constituency Page : 1 Classification: External Version: Final Subject : Sun Security Bulletin #00118 Date : 17-nov-92 =============================================================================== CERT-NL has received information from Sun Microsystems regarding the availability of the following eighteen security patches for SunOS versions 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 and Solaris 2.0 (which contains SunOS 5.0). The patches are available both through your local Sun Answer Center and anonymous ftp. The nearby anonymous FTP server containing these patches is ftp.nic.surfnet.nl [192.87.46.2]. Retrieve the patches from the netman/cert-nl/sun-fixes directory. The patches are contained in compressed tar files named [patch].tar.Z. For example, if you wish to obtain patch 100103-11, the tarfile would be 100103-11.tar.Z. Each patch has been checksummed using the SunOS "sum" command so its validity can be verified by the end user. If you find that the checksum differs from that listed below, please contact Sun Microsystems or CERT-NL for confirmation before using the patch. To install the patches on your system, follow the instructions contained in the README files which accompany each patch. To avoid needless international network traffic CERT-NL advises to obtain the patches from the above mentioned server and not from the servers mentioned in the Sun provided text below. - --- Start of Sun provided text SUN MICROSYSTEMS SECURITY BULLETIN: #00118, 11 November 92 This information is only to be used for the purpose of alerting customers to problems. Any other use or re-broadcast of this information without the express written consent of Sun Microsystems shall be prohibited. Sun expressly disclaims all liability for any misuse of this information by any third party. - --------------------------------------------------------------------------- All patches listed are available through your local Sun answer centers worldwide as well as through anonymous ftp: in the US, ftp to ftp.uu.net and obtain the patch from the /systems/sun/sun-dist directory; in Europe, ftp to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory. Note that Sun does not have direct access to mcsun.eu.net and must request that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there may be a time lag before patches appear on mcsun.eu.net. Please refer to the BugId and PatchId when requesting patches from Sun answer centers. - ---------------------------------------------------------------------------- BULLETIN TOPICS I. Patches that contain fixes for new bugs. These patches were also updated for 4.1.3 compatibility if applicable. A. 100103-11 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: script to change file permissions to a more secure mode B. 100173-09 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: NFS Jumbo Patch C. 100201-06 - SunOS 4.1, 4.1.1: C2 Jumbo Patch D. 100267-09 - SunOS 4.1.1: international libc replacement with all 4.1.1 patches E. 100305-10 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: lpr, lpd, lpstat F. 100377-05 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: sendmail, sendmail.mx G. 100507-04 - SunOS 4.1.1, 4.1.2, 4.1.3: tmpfs jumbo patch H. 100513-01 - SunOS 4.1 4.1.1 4.1.2 4.1.3: jumbo tty patch I. 100564-05 - SunOS 4.1.2, 4.1.3: C2 Jumbo Patch J. 100723-01 - Solaris 2.0FCS/SunOS 5.0, install creates security holes II. Patches upgraded for SunOS 4.1.3 A. 100296-04 - SunOS 4.1.1, 4.1.2, 4.1.3: netgroup exports to world B. 100482-03 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: ypserv, ypxfrd C. 100372-02 - SunOS 4.1.1, 4.1.2, 4.1.3: tfs and c2 do not work together D. 100383-05 - SunOS 4.0.3, 4.1, 4.1.1, 4.1.2, 4.1.3: rdist security enhancement E. 100567-04 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: icmp redirects, mfree panic F. 100630-01 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: login international, su, LD_ environment variables G. 100633-01 - SunOS 4.1.1,4.1.2, 4.1.3: unbundled SunSHIELD ARM 1.0, "LD_" environment variables can be used to exploit login/su, International version. ============================================================================== SPECIAL NOTE: Upgraded patches 100173-09, 100507-04, 100513-01, and 100567-04 all require that a new kernel be configured, made, and installed. All four patches provide significant security enhancements. Note that the installer need only build a new kernel once, after loading in the object files (".o" files) from one or more of the mentioned patches. ============================================================================== PATCHES THAT CONTAIN FIXES FOR NEW BUGS A. Sun Patch ID: 100103-11, shell script modification of file permissions to a more secure mode. Sun Bug IDs: 1046817, 1047044, 1048142, 1054480, 1037153, 1039292, 1042662 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: The script for this patch has been tested on 4.1.3 and also changes the permissions for two additional files: /var/yp/`domainname`/mail.aliases.dir and /var/yp/`domainname`/mail.aliases.pag. Checksum of compressed tarfile 100103-11.tar.Z on ftp.nic.surfnet.nl = 19847 6 B. Sun Patch ID: 100173-09, NFS Jumbo Patch Sun Bug IDs: 1039977, 1032959, 1029628, 1037476, 1038302, 1034328, 1045536, 1030884, 1045993, 1047557, 1052330, 1053679, 1041409, 1065361, 1066287, 1064433, 1070654, 1076985, 1095935, 1097593 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugid 1097593 Problem Description: Bug 1097593 - Accessing NFS mounted files as root causes any application not to be able to access the same file regardless of the file's permissions. Checksum of compressed tarfile 100173-09.tar.Z on ftp.nic.surfnet.nl = 28314 788 C. Sun Patch ID: 100201-06, C2 Jumbo Patch Sun Bug IDs: 1059261, 1043667, 1040465, 1044204, 1040334, 1047131, 1049585, 1058378, 1063796, 1085851, 1097292 SunOS release: 4.1, 4.1.1 (Please refer to Patch 100564-05 for 4.1.2, 4.1.3) Synopsis: Bug fixes for 1063796, 1085851, 1097292 Problem Description: Bug 1063796 - when running C2 with NIS, yppasswd from client system would take 5 minutes delay. Bug 1085851 - a dynamically-linked program that is executed by a setuid program has access to the callers environmental variables if the setuid program sets the real UID equal to the effective UID and the real GID equal to the effective GID before the dynamically-linked program is executed. Bug 1097292 - rpc.pwdauthd's core image contains plaintext passwords and passwd.adjunct file. Checksum of compressed tarfile 100201-06.tar.Z on ftp.nic.surfnet.nl = 13145 164 D. Sun Patch ID: 100267-09, international libc replacement with all 4.1.1 patches Sun Bug IDs: 1034993, 1045471, 1033812, 1038500, 1050040, 1051619, 1053346, 1053356, 1052398, 1069731, 1069726, 1033104, 1069972, 1061071, 1054748, 1049421, 1070565, 1059039, 1072740, 1088455, 1041424, 1087375, 1053431, 1093261, 1091493 SunOS release: 4.1.1 Synopsis: Bug fixes for 1053431, 1093261, 1091493 Problem Description: Bug 1053431 - innetgr may acknowledge false netgroup membership. Bug 1093261 - undefined symbols when linking statically with "mblen()". Bug 1091493 - mbtowc and mbstowcs give different results for same character. Checksum of compressed tarfile 100267-09.tar.Z on ftp.nic.surfnet.nl = 55338 5891 E. Sun Patch ID: 100305-10, passwd, lpd, lpr, delete, system, lpstat -v Sun Bug IDs: 1016437, 1040453, 1057834, 1058003, 1059620, 1061504, 1063772, 1081850, 1081968, 1090527 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugid 1090527 Problem Description: Bug 1090527 - lpstat -v only returns the second entry from printer alias list. Checksum of compressed tarfile 100305-10.tar.Z on ftp.nic.surfnet.nl = 28781 368 F. Sun Patch ID: 100377-05, sendmail Jumbo Patch Sun Bug IDs: 1056203, 1030087, 1068637, 1085853, 1041284, 1092073, 1092650, 1093667, 1089670, 1084351 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugids 1093667, 1092650, 1092073, 1089670, 1084351 Problem Description: Bug 1093667 - Sendmail doesn't generate error mail in error conditions. Bug 1092650 - Sendmail truncates the header if the header length is too long. Bug 1092073 - sendmail loops on mail where name of recipient contains eight bit character(s). Bug 1089670 - Sendmail.mx doesn't handle subdomains. Bug 1084351 - Sendmail gets 550 user unknown during "rcpt to" right after reboot. Checksum of compressed tarfile 100377-05.tar.Z on ftp.nic.surfnet.nl = 29141 1076 G. Sun Patch ID: 100507-04, tmpfs jumbo patch Sun Bug IDs: 1038651, 1091294, 1089447, 1083412 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugid 1083412 Problem Description: Bug 1083412 - copying files from an nfs mounted partition to a tmpfs mount can result in security breach. Checksum of compressed tarfile 100507-04.tar.Z on ftp.nic.surfnet.nl = 57590 61 H. Sun Patch ID: 100513-01, Jumbo tty patch Sun Bug IDs: 1008324, 1040722, 1048128, 1060689, 1064320, 1069768, 1070495 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: This patch is a consolidation of patches 100225-02, 100194-02, 100397-01, 100188-02 (TIOCCONS), 100358-01, and 100414-01; it also includes a fix for bugid 1064320. As such this patch supersedes these previous patches. Problem Description: Bug 1064320 - in a 4/110 with ALM-2, null characters are not echoed with a Hayes Smartmodem1200. Bug 1008324 - TIOCCONS can be used to re-direct console output/input away from "console" (for obsolete patch 100188-02). Checksum of compressed tarfile 100513-01.tar.Z on ftp.nic.surfnet.nl = 20616 480 I. Sun Patch ID: 100564-05, C2 Jumbo Patch Sun Bug IDs: 1040334, 1043667, 1058378, 1059261, 1063796, 1039587, 1097292 SunOS release: 4.1.2, 4.1.3 (Please refer to Patch 100201-06 for 4.1, 4.1.1) Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugids 1097292 and 1006905 Problem Description: Bug 1097292 - rpc.pwdauthd's core image contains plaintext passwords and passwd.adjunct file. Bug 1006905 - rpc.yppasswdd can sometimes corrupt passwd dbm files Checksum of compressed tarfile 100564-05.tar.Z on ftp.nic.surfnet.nl = 00115 824 J. Sun Patch ID: 100723-01, Solaris 2.0FCS install Sun Bug IDs: 1098207 SunOS release: Solaris 2.0FCS/SunOS 5.0 Synopsis: Solaris 2.0FCS/SunOS 5.0 install creates security holes Problem Description: Bug 1098207 - Solaris 2.0FCS install procedures leave world-writable directories, thus opening a path for normal users to gain root privileges. Note that this patch contains a README file only. The README file instructs the installer to run the following command as root after the installation of Solaris 2.0: # pkgchk -f The command above will correct improperly set directory and file attributes created during the installation process. Checksum of compressed tarfile 100723-01.tar.Z on ftp.nic.surfnet.nl = 22726 1 ============================================================================== UPGRADED PATCH INFORMATION FOR SUNOS 4.1.3 COMPATIBILITY A. Sun Patch ID: 100296-04, netgroup exports to world Sun Bug IDs: 2000680, 1044852, 1048890, 1047410 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 Checksum of compressed tarfile 100296-04.tar.Z on ftp.nic.surfnet.nl = 42492 40 B. Sun Patch ID: 100482-03, ypserv and ypxfrd security patch Sun Bug IDs: 1036869, 1039839, 1082319, 1082320, 1080353 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 Please note that the /var/yp/securenets configuration file that is provided in this patch does not support blank lines. Checksum of compressed tarfile 100482-03.tar.Z on ftp.nic.surfnet.nl = 27837 342 C. Sun Patch ID: 100372-02, tfs and c2 do not work together Sun Bug IDs: 1052574 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.2 and 4.1.3 compatibility Checksum of compressed tarfile 100372-02.tar.Z on ftp.nic.surfnet.nl = 22739 712 D. Sun Patch ID: 100383-05, rdist security enhancement Sun Bug IDs: 1069497, 1074961 SunOS release: 4.0.3, 4.1, 4.1.1, 4.1.2 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 compatibility Checksum of compressed tarfile 100383-05.tar.Z on ftp.nic.surfnet.nl = 52230 135 E. Sun Patch ID: 100567-04 Sun Bug IDs: 1087460, 1093937 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 compatibility Checksum of compressed tarfile 100567-04.tar.Z on ftp.nic.surfnet.nl = 15728 11 F. Sun Patch ID: 100630-01, login international, su, LD_ environment variables Sun Bug IDs: 1085851 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 compatibility Note that this patch contains the international version of /bin/login that users who are not using the US Encryption Kit need to install. Patch 100631-01 contains the domestic version of /bin/login. /usr/bin/su and /usr/5bin/su from this international patch are suitable for sites that use the US Encryption Kit. Export restrictions prevent putting patch 100631-01 onto anonymous ftp sites. Please contact your Sun Answer Center for patch 100631-01. Checksum of compressed tarfile 100630-01.tar.Z on ftp.nic.surfnet.nl = 28074 39 Checksum of compressed tarfile 100631-01.tar.Z on ftp.nic.surfnet.nl = 44444 25 G. Sun Patch ID: 100633-01, Unbundled SunSHIELD/ARM: login international, su, LD_ environment variables Sun Bug IDs: 1085851 SunOS release: 4.1.1, 4.1.2, 4.1.3; Unbundled Product: SunSHIELD, ARM Synopsis: Patch upgraded for SunOS 4.1.3 compatibility Checksum of compressed tarfile 100633-01.tar.Z on ftp.nic.surfnet.nl = 33264 20 =========================================================================== Sun Microsystems acknowledges the Department of Energy's Computer Incident Advisory Capability (CIAC), especially the efforts of Karyn Pichnarczyk, for their assistance in and review of patch revision issues pertaining to SunOS 4.1.3. Sun Microsystems recommends that all customers concerned with the security of their SunOS system(s) obtain and install the patches that are applicable to their computing environment. - --- End of Sun provided text CERT-NL wishes to thank Sun Microsystems for their effort in making this information, together with the patches, available. ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://cert.surfnet.nl/ In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. =============================================================================== -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOL6V/DSYjBqwfc9jEQIhIwCg2UKFUPqxEf4BL/SCtbqlIdxsCUcAnAyW IxL1BhCj+ZNTuKd4e8mGlBB/ =8WmM -----END PGP SIGNATURE-----